v1.4.1

2025-12-31 10:36:35 +08:00 · 2024-07-27 14:15:25 +08:00
parent be70925770
commit 5a17ae9d79
520 changed files with 2515 additions and 762 deletions
--- a/internal/db/models/acme/acme_task_dao.go
+++ b/internal/db/models/acme/acme_task_dao.go
@@ -4,6 +4,13 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
+	"net/http"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
 	acmeutils "github.com/TeaOSLab/EdgeAPI/internal/acme"
 	teaconst "github.com/TeaOSLab/EdgeAPI/internal/const"
 	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
@@ -21,15 +28,21 @@ import (
 	"github.com/iwind/TeaGo/logs"
 	"github.com/iwind/TeaGo/maps"
 	"github.com/iwind/TeaGo/types"
-	"net/http"
-	"time"
 )

 const (
 	ACMETaskStateEnabled  = 1 // 已启用
 	ACMETaskStateDisabled = 0 // 已禁用
+
+	ACMETaskStatusPending     = 0
+	ACMETaskStatusDone        = 1
+	ACMETaskStatusRunning     = 2
+	ACMETaskStatusIssueFailed = 3
 )

+var runningTaskMap sync.Map
+var serverBindMutex = &sync.Mutex{}
+
 type ACMETaskDAO dbs.DAO

 func NewACMETaskDAO() *ACMETaskDAO {
@@ -187,7 +200,7 @@ func (this *ACMETaskDAO) ListEnabledACMETasks(tx *dbs.Tx, userId int64, isAvaila
 }

 // CreateACMETask 创建任务
-func (this *ACMETaskDAO) CreateACMETask(tx *dbs.Tx, adminId int64, userId int64, authType acmeutils.AuthType, acmeUserId int64, dnsProviderId int64, dnsDomain string, domains []string, autoRenew bool, authURL string) (int64, error) {
+func (this *ACMETaskDAO) CreateACMETask(tx *dbs.Tx, adminId int64, userId int64, authType acmeutils.AuthType, acmeUserId int64, dnsProviderId int64, dnsDomain string, domains []string, autoRenew bool, authURL string, async bool) (int64, error) {
 	var op = NewACMETaskOperator()
 	op.AdminId = adminId
 	op.UserId = userId
@@ -210,6 +223,7 @@ func (this *ACMETaskDAO) CreateACMETask(tx *dbs.Tx, adminId int64, userId int64,
 	op.AuthURL = authURL
 	op.IsOn = true
 	op.State = ACMETaskStateEnabled
+	op.Async = async
 	err := this.Save(tx, op)
 	if err != nil {
 		return 0, err
@@ -281,7 +295,7 @@ func (this *ACMETaskDAO) UpdateACMETaskCert(tx *dbs.Tx, taskId int64, certId int

 // RunTask 执行任务并记录日志
 func (this *ACMETaskDAO) RunTask(tx *dbs.Tx, taskId int64) (isOk bool, errMsg string, resultCertId int64) {
-	isOk, errMsg, resultCertId = this.runTaskWithoutLog(tx, taskId)
+	isOk, errMsg, resultCertId = this.runTaskWithoutLog(tx, taskId, false)

 	// 记录日志
 	err := SharedACMETaskLogDAO.CreateACMETaskLog(tx, taskId, isOk, errMsg)
@@ -293,7 +307,7 @@ func (this *ACMETaskDAO) RunTask(tx *dbs.Tx, taskId int64) (isOk bool, errMsg st
 }

 // 执行任务但并不记录日志
-func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool, errMsg string, resultCertId int64) {
+func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64, randomAcmeAccount bool) (isOk bool, errMsg string, resultCertId int64) {
 	task, err := this.FindEnabledACMETask(tx, taskId)
 	if err != nil {
 		errMsg = "查询任务信息时出错：" + err.Error()
@@ -308,6 +322,17 @@ func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool,
 		return
 	}

+	if task.Status == ACMETaskStatusDone {
+		errMsg = "任务已完成"
+		return
+	}
+
+	// 设置执行中
+	err = this.UpdateStatus(tx, taskId, ACMETaskStatusRunning)
+	if err != nil {
+		logs.Error(err)
+	}
+
 	// ACME用户
 	user, err := SharedACMEUserDAO.FindEnabledACMEUser(tx, int64(task.AcmeUserId))
 	if err != nil {
@@ -323,6 +348,15 @@ func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool,
 	if len(user.ProviderCode) == 0 {
 		user.ProviderCode = acmeutils.DefaultProviderCode
 	}
+
+	if randomAcmeAccount {
+		user, err = SharedACMEUserDAO.FindRandomACMEUserWithSameProvider(tx, user.ProviderCode)
+		if user == nil {
+			errMsg = "找不到ACME用户"
+			return
+		}
+	}
+
 	var acmeProvider = acmeutils.FindProviderWithCode(user.ProviderCode)
 	if acmeProvider == nil {
 		errMsg = "服务商已不可用"
@@ -515,3 +549,193 @@ func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool,
 	isOk = true
 	return
 }
+
+// FindIssueACMETask 查找N小时内未执行的AcmeTask
+func (this *ACMETaskDAO) FindIssueACMETask(tx *dbs.Tx, hour int, limit int64, excludeTasks []int64) (result []*ACMETask, err error) {
+	if len(excludeTasks) == 0 {
+		excludeTasks = append(excludeTasks, 0)
+	}
+	var strIDs []string
+	for _, id := range excludeTasks {
+		strIDs = append(strIDs, strconv.FormatInt(id, 10))
+	}
+	_, err = this.Query(tx).
+		Attr("isOn", true).
+		Attr("async", true).
+		State(ACMETaskStateEnabled).
+		Where("FROM_UNIXTIME(createdAt, '%Y-%m-%d %H:%i')>:hoursAgo AND certId=0 and id NOT IN ("+strings.Join(strIDs, ",")+")").
+		Param("hoursAgo", time.Now().UTC().Add(-time.Duration(hour)*time.Hour).Format("2006-01-02 15:04")).
+		Param("now", time.Now().Unix()).
+		Slice(&result).
+		AscPk().
+		Limit(limit).
+		FindAll()
+	return
+}
+
+// UpdateStatus 更新状态
+func (this *ACMETaskDAO) UpdateStatus(tx *dbs.Tx, id int64, status int64) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("status", status).
+		Update()
+	return err
+}
+
+// RunTaskAndAutoBindServer 证书签发并绑定Server，记录日志
+func (this *ACMETaskDAO) RunTaskAndAutoBindServer(tx *dbs.Tx, taskId int64, domains []string) (isOk bool, errMsg string) {
+	_, ok := runningTaskMap.Load(taskId)
+	if ok {
+		return true, "" // 返回ok，异步任务无需继续执行
+	}
+
+	isOk, errMsg, resultCertId := this.runTaskWithoutLog(tx, taskId, true)
+
+	// 记录日志
+	err := SharedACMETaskLogDAO.CreateACMETaskLog(tx, taskId, isOk, errMsg)
+	if err != nil {
+		logs.Error(err)
+	}
+	if !isOk {
+		// 设置签发失败
+		err = this.UpdateStatus(tx, taskId, ACMETaskStatusIssueFailed)
+		if err != nil {
+			logs.Error(err)
+		}
+		return
+	}
+
+	// 签发成功
+	err = this.UpdateStatus(tx, taskId, ACMETaskStatusDone)
+	if err != nil {
+		logs.Error(err)
+	}
+
+	newCert, err := models.SharedSSLCertDAO.FindEnabledSSLCert(tx, resultCertId)
+	if err != nil {
+		logs.Error(err)
+		return
+	}
+
+	type ServerInfo struct {
+		SSLPolicyId int64
+		CertIds     []int64
+		UserId      int64
+		TlsConfig   *serverconfigs.HTTPSProtocolConfig
+	}
+	serverMap := map[int64]ServerInfo{}
+	domainChecked := map[string]bool{}
+
+	// 以下绑定cert到Server的逻辑加互斥锁，避免大量证书绑定到同一个Server时sslCertIds数据覆盖；以下绑定流程耗时不长
+	serverBindMutex.Lock()
+	defer serverBindMutex.Unlock()
+
+	// 获取域名需要绑定的SSLPolicy
+	for _, domain := range domains {
+		if _, ok := domainChecked[domain]; ok {
+			continue
+		}
+		servers, err := models.SharedServerDAO.FindUserServerByServerName(tx, domain)
+		if err != nil {
+			continue
+		}
+		for _, server := range servers {
+			var serverNames []string
+			err = json.Unmarshal(server.PlainServerNames, &serverNames)
+			if err != nil {
+				continue
+			}
+			for _, sn := range serverNames {
+				domainChecked[sn] = true
+			}
+			tlsConfig := server.DecodeHTTPS()
+			if tlsConfig == nil {
+				continue // 跳过，其他有HTTPS的正常执行
+			}
+			if tlsConfig.SSLPolicyRef != nil {
+				sslPolicyConfig, err := models.SharedSSLPolicyDAO.ComposePolicyConfig(tx, tlsConfig.SSLPolicyRef.SSLPolicyId, false, nil, nil)
+				if err != nil {
+					continue
+				}
+				if sslPolicyConfig != nil {
+					var certIds []int64
+					for _, cert := range sslPolicyConfig.Certs {
+						// 新签发的证书如果包含所有旧证书的域名则不再绑定旧证书，并禁用旧证书避免触发续签
+						if utils.ListIsGreaterEqualThanOther(domains, cert.DNSNames) && cert.TimeEndAt < int64(newCert.TimeEndAt) {
+							err = models.SharedSSLCertDAO.DisableSSLCert(tx, cert.Id)
+							if err != nil {
+								logs.Error(err)
+							}
+							continue
+						}
+						certIds = append(certIds, cert.Id)
+					}
+					certIds = append(certIds, resultCertId)
+					serverMap[int64(server.Id)] = ServerInfo{
+						UserId:      int64(server.UserId),
+						SSLPolicyId: sslPolicyConfig.Id,
+						CertIds:     certIds,
+						TlsConfig:   tlsConfig}
+					continue
+				}
+			}
+			serverMap[int64(server.Id)] = ServerInfo{CertIds: []int64{resultCertId}, TlsConfig: tlsConfig, UserId: int64(server.UserId)}
+		}
+	}
+
+	for serverId, serverInfo := range serverMap {
+		var certRefs []*sslconfigs.SSLCertRef
+		certExists := make(map[int64]bool)
+		for _, certId := range serverInfo.CertIds {
+			if !certExists[certId] {
+				certRefs = append(certRefs, &sslconfigs.SSLCertRef{
+					IsOn:   true,
+					CertId: certId,
+				})
+				certExists[certId] = true
+			}
+		}
+
+		certRefsJSON, err := json.Marshal(certRefs)
+		if err != nil {
+			logs.Errorf("解析证书错误：%s", err.Error())
+			continue
+		}
+		if serverInfo.SSLPolicyId == 0 {
+			policyId, err := models.SharedSSLPolicyDAO.CreatePolicy(tx,
+				0, serverInfo.UserId, false, false,
+				"TLS 1.1", certRefsJSON,
+				nil, false, 0,
+				nil, false, nil)
+			if err != nil {
+				logs.Errorf("创建SSL策略错误：%s", err.Error())
+				continue
+			}
+			httpsConfig := serverInfo.TlsConfig
+			httpsConfig.SSLPolicyRef = &sslconfigs.SSLPolicyRef{
+				IsOn:        true,
+				SSLPolicyId: policyId,
+			}
+			httpsJSON, err := json.Marshal(httpsConfig)
+			if err != nil {
+				logs.Errorf("获取https信息错误：%s", err.Error())
+				continue
+			}
+			err = models.SharedServerDAO.UpdateServerHTTPS(tx, serverId, httpsJSON)
+		} else {
+			policy, err := models.SharedSSLPolicyDAO.FindEnabledSSLPolicy(tx, serverInfo.SSLPolicyId)
+			if err != nil {
+				logs.Errorf("获取SSL策略错误：%s", err.Error())
+				continue
+			}
+			err = models.SharedSSLPolicyDAO.UpdatePolicy(tx, serverInfo.SSLPolicyId, policy.Http2Enabled, policy.Http3Enabled,
+				policy.MinVersion, certRefsJSON, policy.Hsts, policy.OcspIsOn == 1, int32(policy.ClientAuthType), policy.ClientCACerts, policy.CipherSuitesIsOn == 1, nil)
+			if err != nil {
+				logs.Errorf("更新SSL策略错误：%s", err.Error())
+				continue
+			}
+
+		}
+	}
+	return
+}